Splunk Search

Extract a field/or a single value from a scheduled alert table

smhsplunk
Communicator

So I am generating an alert every day at 2am; the alert is basically a table with several fields. Now I would like the user to utilize this saved alert by only using a single value from it (I need the entire table because beforehand I do not know which value the user will select).

currently it is only

<table>
<search ref="alert_objects"></search>
</table>

is it possible to search in this like

<table>
  <search ref="alert_objects"> | search * host="$host_token$"
  | table total_time</search>
</table>
1 Solution

somesoni2
SplunkTrust
SplunkTrust

Try like this

Replace

<table>
 <search ref="alert_objects"></search>
 </table>

With Updated

<form>
  ...other xml portions..
  <search ref="alert_objects" id="base_alert_objects"></search>
  ....
  <table>
    <search base="base_alert_objects">
      <query>search * host="$host_token$" | table total_time</query>
    </search>
  </table>
  ...
</form>
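The pattern above as a complete Simple XML form, written here as an added example for this thread (it is not the original poster's dashboard or the answerer's code). It assumes the saved alert "alert_objects" returns the fields host and total_time as in the query posted later in the thread, and it adds a dropdown input named host_token so the user picks the host; both the input and the table are post-process searches on the one base search. The token is interpolated with the `|s` filter, which quotes and escapes the value before it is spliced into SPL, so a selected value cannot change the query.

```xml
<form>
  <label>Total session time per host (added example)</label>

  <!-- Base search: runs the saved alert "alert_objects" once.
       Assumption: it returns the fields host and total_time. -->
  <search ref="alert_objects" id="base_alert_objects"></search>

  <fieldset submitButton="false">
    <!-- Dropdown populated from the same base search, so the user can
         only pick hosts that actually appear in the alert table. -->
    <input type="dropdown" token="host_token">
      <label>Host</label>
      <search base="base_alert_objects">
        <query>stats count by host</query>
      </search>
      <fieldForLabel>host</fieldForLabel>
      <fieldForValue>host</fieldForValue>
    </input>
  </fieldset>

  <row>
    <panel>
      <title>total_time for $host_token$</title>
      <table>
        <!-- Post-process search: filters the base results to the selected
             host. $host_token|s$ wraps the value in double quotes and
             escapes embedded quotes, so it is treated as a literal value
             rather than as SPL. -->
        <search base="base_alert_objects">
          <query>search host=$host_token|s$ | table total_time</query>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Two caveats a practitioner should keep in mind: a post-process search only sees the results the base search returns (by default up to 500,000 rows), so the base search must keep every field the post-process queries need (here host and total_time), and the `<query>` element is required inside `<search base="...">`; text placed directly inside the `<search>` element is ignored, which is exactly the symptom reported further down in the thread.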


smhsplunk
Communicator

awesome it works!


smhsplunk
Communicator

This should work, but it is giving me the entire table again; it seems like it's ignoring this entire part

search * host="$host_token$" |  table total_time

I have

<row>
  <panel>
    <search ref="alert_objects" id="base_alert_objects"></search>
    <table>
      <search base="base_alert_objects">  search * host="$host_token$" |  table total_time</search>
    </table>
  </panel>
</row>

somesoni2
SplunkTrust
SplunkTrust

I missed the query tag in there. Try the updated one.

inventsekar
Ultra Champion

<search ref="alert_objects"></search>
is not the search query.

Can you copy and paste the whole XML please,
or the <query> part?


smhsplunk
Communicator

The actual search query is saved as an alert (alert name "alert_objects").
I am trying to get a field value from it; this is the actual query (saved as an alert):

index=main host="*"
| transaction startswith="StartSession" endswith="EndSession" by source
| appendpipe [ | stats count | where count = 0 | eval duration=0 ]
| eval session_per_source = duration
| stats sum(session_per_source) as total_time by host
| table host, total_time
| fillnull value=NULL

I need the entire table as an alert, and was wondering if I could query this alert and only show the value part:
| search * host="$host_token$"
| table total_time
